Security is a ‘state of mind’ and not an end state. It has been a popular philosophical thought, but what it eludes is the fact of investment towards security. IoT has exploded with the onset of new smart tech gadgets. Though businesses today exercise security and safety measures within their organizations, it isn’t easy to keep upgrading an organization’s infrastructure to encompass these technology updates. Reverse engineering systems have always remained the passcode for unlocking backdoors to capitalize on security vulnerabilities. The best example of such a scenario is the 2016 MIRAI botnet attack. The attack caused massive DDoS attacks on large enterprises on Atlanta’s city administration and the ATL airport. IoT still lacks immunity against ransomware attacks and many new age cyberattacks.
In a nutshell, the dictionary of attacks is ever-expanding. The inclusion of new devices within the IoT ecosystem is ever-growing. Tons of sensitive data is getting channeled through these each day. Security has thus, taken centerstage in the IoT world, specifically during these crisis times, to tighten all the loose ends of the modern state of the art infrastructure & legacy technologies.
‘Security to the core’ has become a must in IoT due to the increased attack surface vectors like web interfaces, crypto methods, outdated firmware, intercepting unencrypted comms, and quite common clear text passwords. Hence it is mandated to embed security throughout the IoT supply chain. The landscape of attacks has widened significantly across both hardware and software. Software attack follows the usual protocol of getting access to firmware and analyzing it with few attacker tools. Few popular techniques are binary reversing by means like IDA Pro, finding bugs using Flawfinder, examining firmware by FACT, doing a web test by ZAP or GoBuster, and debugging by GDB. Hardware attacks span mainly into non-invasive attacks, which provide no chip access but only have external signals to intercept semi-invasive attacks, which provide limited access to the hardware and fully invasive attacks with full access to hardware. Mostly practiced non-invasive attacks are hardware fuzzing, timing attacks, hardware glitching, and power analysis aimed towards crashing the device. Semi-invasive attacks involve light emission analysis, which provides a photonic image of the chipset PCB, while fully invasive raids are conducted by linear code extraction.
Industry reports predict the mixed impacts of COVID-19 on the IoT market. From the technology perspective, enterprises are looking at CAPEX reduction over the short term and automating processes to make supply chain and manufacturing more flexible over the long term. Specific IoT applications like remote asset tracking, drones, healthcare, smart cities with easy to install IoT solutions will have an uptake over the coming weeks. Few recent developments have been across digital health companies like Kiska’s connected thermometers, Telehealth’s remote diagnosis, smart helmets with AI-enabled helmet, connected building applications like a video camera with facial recognition and temperature scanning, driverless delivery/street disinfectant technologies & drone companies for disinfectant spraying/meal deliveries. The challenge will be from the demand side than the supply side over the coming few months across below market areas.
From the industrial IoT side, APAC is expected to lead the push for industrial automation, specifically affected countries like China, Japan & South Korea, while EMEA & Americas will be progressing gradually. Business models will be shifted from selling hardware to selling services, and so will be for IoT and security markets. Industry experts suggest the adoption of an outcome-based business model along with free access to services with proof-of-concept based projects can yield better returns over the long run. Current challenges in IIoT implementation are lack of employee skills & knowledge, legacy equipment & infrastructure & ability to collect & derive results from operational data. Healthcare and telehealth markets are looking at a reduced cost of in-person visits and increased adoption of new tools for detecting temperature and social distancing. The entire supply chain is looking to gain insights from inventory and customer demand data exploring new technology options like Blockchain. The focus on security has increased multi-fold, emphasizing the need for safety across hospitals & connected medical devices based on issues like device upgrade and unsecured legacy infrastructure. Both corporate and home networks have collided, giving a push for expansion of remote working environments with secured network connections for desktops, VPNs, and industrial control systems as both industrial and critical infrastructure are under danger of cyberattacks. Hence there has been a push for the ‘secure by design’ principle in setting up new technology plans. Some of the real-life IIoT attacks are UART, where device usually boots into a particular console, U-Boot allows access to the bootloader shell, command injection attack downgrades device to older firmware and EEPROM reading. Few best practices exercised are a timely check of stack overflow, avoid SQL injection of webservers, update firmware over TLS with crypto-signatures, secure sensitive data with token-based identity management, harden toolchains and libraries, keep kernel and frameworks up to date, and devise threat modeling with IDS. Enterprises have been widely focusing on the different facets of IoT security throughout the supply chain right from chip manufacturing to device assembly.
Do you have an upcoming project and wantus to help speed up your time to market?